Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-minimum-3.7.19-93.el6_1.2.noarch
selinux-policy-doc-3.7.19-93.el6_1.2.noarch
selinux-policy-3.7.19-93.el6_1.2.noarch
selinux-policy-targeted-3.7.19-93.el6_1.2.noarch
selinux-policy-mls-3.7.19-93.el6_1.2.noarch

How reproducible:
always

Steps to Reproduce:
1. look into following file: /usr/share/selinux/devel/include/services/cups.if
2. search for the definition of following interface: cups_backend
3. compare the number of parameters described in the header and used in the body

########################################
## <summary>
##      Setup cups to transtion to the cups backend domain
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`cups_backend',`
        gen_require(`
                type cupsd_t;
        ')

        domain_type($1)
        domain_entry_file($1, $2)
        role system_r types $1;

        domtrans_pattern(cupsd_t, $2, $1)
        allow cupsd_t $1:process signal;
        allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;

        cups_read_config($1)
        cups_append_log($1)
')

Actual results:
* the number of parameters described in the header is not equal to the number of parameters used in the body

Expected results:
* the number of parameters described in the header is equal to the number of parameters used in the body

/usr/share/selinux/devel/include/services/virt.if

#######################################
## <summary>
##      Execute a domain transition to run virt.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed to transition.
##      </summary>
## </param>
#
interface(`virt_run',`
        gen_require(`
                type virtd_t;
                type qemu_t;
        ')

        virt_domtrans($1)
        role $2 types virtd_t;
        role $2 types qemu_t;
')

I will backport fixes from Fedora.
/usr/share/selinux/devel/include/admin/accountsd.if

########################################
## <summary>
##      All of the rules required to administrate
##      an accountsd environment
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      Role allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`accountsd_admin',`
        gen_require(`
                type accountsd_t;
        ')

        allow $1 accountsd_t:process { ptrace signal_perms getattr };
        read_files_pattern($1, accountsd_t, accountsd_t)

        accountsd_manage_var_lib($1)
')

/usr/share/selinux/devel/include/services/devicekit.if

########################################
## <summary>
##      All of the rules required to administrate
##      an devicekit environment
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      The role to be allowed to manage the devicekit domain.
##      </summary>
## </param>
## <param name="terminal">
##      <summary>
##      The type of the user terminal.
##      </summary>
## </param>
## <rolecap/>
#
interface(`devicekit_admin',`
        gen_require(`
                type devicekit_t, devicekit_disk_t, devicekit_power_t;
                type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
        ')

        allow $1 devicekit_t:process { ptrace signal_perms };
        ps_process_pattern($1, devicekit_t)

        allow $1 devicekit_disk_t:process { ptrace signal_perms };
        ps_process_pattern($1, devicekit_disk_t)

        allow $1 devicekit_power_t:process { ptrace signal_perms };
        ps_process_pattern($1, devicekit_power_t)

        admin_pattern($1, devicekit_tmp_t)
        files_search_tmp($1)

        admin_pattern($1, devicekit_var_lib_t)
        files_search_var_lib($1)

        admin_pattern($1, devicekit_var_run_t)
        files_search_pids($1)
')

########################################
## <summary>
##      rw any files inherited from another process
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`files_rw_all_inherited_files',`
        gen_require(`
                attribute file_type;
        ')

        allow $1 { file_type $2 }:file rw_inherited_file_perms;
        allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
        allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
        allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
')

#######################################
## <summary>
##      The per role template for the openoffice module.
## </summary>
## <param name="user_role">
##      <summary>
##      The role associated with the user domain.
##      </summary>
## </param>
## <param name="user_domain">
##      <summary>
##      The type of the user domain.
##      </summary>
## </param>
#
interface(`openoffice_plugin_role',`
        gen_require(`
                type openoffice_exec_t;
                type openoffice_t;
        ')

        ########################################
        #
        # Local policy
        #

        domtrans_pattern($1, openoffice_exec_t, openoffice_t)
        allow $1 openoffice_t:process { signal sigkill };
')

########################################
## <summary>
##      All of the rules required to administrate
##      an plymouthd environment
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      Role allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`plymouthd_admin', `
        gen_require(`
                type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
                type plymouthd_var_run_t;
        ')

        allow $1 plymouthd_t:process { ptrace signal_perms };
        ps_process_pattern($1, plymouthd_t)

        files_search_var_lib($1)
        admin_pattern($1, plymouthd_spool_t)

        admin_pattern($1, plymouthd_var_lib_t)

        files_search_pids($1)
        admin_pattern($1, plymouthd_var_run_t)
')

########################################
## <summary>
##      All of the rules required to administrate
##      an setroubleshoot environment
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      The role to be allowed to manage the setroubleshoot domain.
##      </summary>
## </param>
## <rolecap/>
#
interface(`setroubleshoot_admin',`
        gen_require(`
                type setroubleshootd_t, setroubleshoot_var_log_t;
                type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
        ')

        allow $1 setroubleshootd_t:process { ptrace signal_perms };
        ps_process_pattern($1, setroubleshootd_t)

        logging_list_logs($1)
        admin_pattern($1, setroubleshoot_var_log_t)

        files_list_var_lib($1)
        admin_pattern($1, setroubleshoot_var_lib_t)

        files_list_pids($1)
        admin_pattern($1, setroubleshoot_var_run_t)
')

#######################################
## <summary>
##      Role access for nsplugin
## </summary>
## <param name="userdomain_prefix">
##      <summary>
##      The prefix of the user domain (e.g., user
##      is the prefix for user_t).
##      </summary>
## </param>
## <param name="user_role">
##      <summary>
##      The role associated with the user domain.
##      </summary>
## </param>
## <param name="user_domain">
##      <summary>
##      The type of the user domain.
##      </summary>
## </param>
#
interface(`nsplugin_role',`
        gen_require(`
                type nsplugin_exec_t;
                type nsplugin_config_exec_t;
                type nsplugin_t;
                type nsplugin_config_t;
        ')

        nsplugin_role_notrans($1, $2)

        domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
        domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
')

* samba_admin() describes 2 parameters in the header but uses 3 parameters in the body
* seutil_role_allow_setfiles() describes 2 parameters in the header but uses only 1 parameter in the body
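
Added example (not part of the bug report and not code from the selinux-policy project): a small Python check that automates step 3 of the reproducer, comparing the number of <param> entries in each interface header with the highest $N referenced in its body. The function name check_interfaces, the abridged sample text and the example_ok / example_admin interfaces are assumptions made for illustration.

```python
import re

DEF_RE = re.compile(r"^\s*(?:interface|template)\(`(\w+)'")   # definition start
PARAM_DOC_RE = re.compile(r'^##\s*<param\s+name="[^"]+"')      # header <param>
PARAM_USE_RE = re.compile(r"\$(\d+)")                          # $N in the body

def check_interfaces(text):
    """Return (name, documented, highest_used) for each mismatching definition."""
    mismatches, documented, name, highest = [], 0, None, 0
    for line in text.splitlines():
        if name is None:                       # between definitions: read header
            if PARAM_DOC_RE.match(line):
                documented += 1
            elif (m := DEF_RE.match(line)):
                name, highest = m.group(1), 0
            continue
        if line.rstrip() == "')":              # unindented close ends the body
            if documented != highest:
                mismatches.append((name, documented, highest))
            name, documented = None, 0
            continue
        code = line.split("#", 1)[0]           # skip comments inside the body
        highest = max([highest] + [int(n) for n in PARAM_USE_RE.findall(code)])
    return mismatches

# Constructed sample: cups_backend abridged from the report, plus two
# hypothetical interfaces (example_ok, example_admin) for contrast.
SAMPLE = """\
## <param name="domain">
## </param>
interface(`cups_backend',`
    gen_require(`
        type cupsd_t;
    ')
    domain_entry_file($1, $2)
    domtrans_pattern(cupsd_t, $2, $1)
')
## <param name="domain">
## </param>
interface(`example_ok',`
    allow $1 self:process signal;
')
## <param name="domain">
## </param>
## <param name="role">
## </param>
interface(`example_admin',`
    allow $1 self:process signal_perms;
')
"""

if __name__ == "__main__":
    for name, doc, used in check_interfaces(SAMPLE):
        print(f"{name}: header documents {doc}, body uses up to ${used}")
```

The check compares counts only, so it flags both directions reported here: a body that uses more parameters than the header documents, and a header that documents parameters the body never uses.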
Fixed in selinux-policy-3.7.19-107.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0780.html